Cyber risk research in business and actuarial science

  • Survey Paper
  • European Actuarial Journal

Abstract

We review the academic literature on “cyber risk” and “cyber insurance” in the fields of business (management, economics, finance, risk management and insurance) and actuarial science. Our results show that cyber risk is an increasingly important research topic in many disciplines, but one that so far has received little attention in business and actuarial science. Business research has documented the manifold detrimental effects of cyber risks using event studies and scenario analyses, while economic research is especially concerned with trade-offs between different risk management activities. Quantitative research including papers published in actuarial journals mainly focuses on loss modelling, especially taking dependencies and network structure into account. We categorize the empirical literature on cyber risk to filter out what we know on the frequency, severity and dependence structure of cyber risk. Finally, we list open research questions which demonstrate that cyber risk research is still in its infancy and that there is ample room for future research.

Notes

  1. As shown in “Appendix A”, research on cyber risk and cyber insurance was scarce until 2010, but since then it has grown exponentially, emphasizing the increasing practical and academic relevance of the topic. We also note a number of working parties studying cyber risk from a more applied perspective for professional organizations, such as the Society of Actuaries (SOA), the International Actuarial Association (IAA) or the Canadian Institute of Actuaries.

  2. The selection of journals in management, finance and economics is based on the journal ranking of the German Academic Association of Business Research (VHB-Jourqual 3; see https://vhbonline.org/vhb4you/vhb-jourqual). The journals are presented in alphabetical order.

  3. The only exception is the Geneva Papers on Risk and Insurance which published a special issue on cyber risk in 2018 and will publish another special issue this year.

  4. The search strategy certainly has limitations, so our selection of papers should not necessarily be considered comprehensive. For instance, articles that do not contain the words “cyber risk” or “cyber insurance” in the title, abstract or keywords are not included in the list; one example is the often-cited article on data breaches by Romanosky et al. [66]. Still, the selection of papers should provide a good overview of research in the different fields.

  5. Bai [5] focuses on sentiment analysis from online texts and is the only one in the set of 40 articles that is just loosely related to the topic of cyber risk. The author proposes a Markov blanket model to capture dependencies among words and provide a vocabulary for extracting sentiments. The advantages of this approach compared to other state-of-the-art algorithms for sentiment analysis are illustrated in two applications (online movie reviews, online news). The article is included in the review because the author positions the tool not only to gauge online customers' preferences for economic or marketing research, but also for detecting cyber risk and security threats.

  6. They also show that stock prices of information security providers increase on average in value by 1.36% or US$1.06 billion after the announcement of another company’s security breach.

  7. Other analyses on related topics are Srinidhi, Yan and Tayi [75]; Johnson, Böhme and Grossklags [49] and Pal et al. [62]. Srinidhi, Yan and Tayi [75] show that cyber insurance has the effect of reducing managers' overinvestment in specific security-enhancing assets. Johnson, Böhme and Grossklags [49] present security games with market insurance. Pal et al. [62] ask whether cyber insurance can improve the security in a network and show that in equilibrium insurers cannot make more than zero expected profits, again questioning the insurability of cyber risk.

  8. Romanosky [64] provides a first attempt to quantify the costs of cyber events considering US data from Advisen; he mainly presents descriptive statistics that can be used to validate and verify the plausibility of cyber loss estimates; moreover, he presents a logistic regression model to analyze the costs of cyber events, but for data breaches only. Furthermore, a few industry studies exist (NetDiligence [59]; Ponemon [47]) that are also of a descriptive nature.

  9. Another related modelling paper is Eling and Loperfido [27] who consider the PRC dataset and use multidimensional scaling and goodness-of-fit tests to analyze the distribution of data breach information. The results show that different types of data breaches need to be modeled as distinct risk categories. For severity modeling, the log-skew-normal distribution provides promising results. The findings add to the discussion on the use of skewed distributions in actuarial modeling (Vernic [30]; Bolancé et al. [12]; Eling [25]) and provide insights for actuaries working on the implementation of cyber insurance policies.

  10. The largest cyber loss has been WannaCry which resulted in a US$8 billion economic loss (Gallin [38]). Mahalingam et al. [53] illustrate that for an event to have an impact on the capital market, at least an economic loss of US$1 trillion (or at least 1–2% world GDP) is necessary. This extreme magnitude that is necessary to create a systematic impact is very likely also the reason why event studies for other catastrophic events come to more mixed and inconclusive results.

References

  1. Anderson R, Moore T (2006) The economics of information security. Science 314:610–613

  2. Ashby S, Buck T, Nöth-Zahn S, Peisl T (2018) Emerging IT risks: Insights from German banking. Geneva Pap Risk Insur Issues Pract 43:180–207

  3. Augsburger-Bucheli I, Bangerter E, Brunoni L et al (2017) Forschung zu Cyber-Risiken in der Schweiz. Bern. https://www.isb.admin.ch/dam/isb_kp/de/dokumente/themen/ncs/Expertenbericht_forschung.pdf.download.pdf/Expertenbericht_forschung.pdf

  4. August T, Dao D, Kim K (2019) Market segmentation and software security: pricing patching rights. Manage Sci 65:4575–4597

  5. Bai X (2011) Predicting consumer sentiments from online text. Decision Support Syst 50:732–742

  6. Bandyopadhyay T, Mookerjee V, Rao R (2009) Why IT managers don’t go for cyber-insurance products. Commun ACM 52:68–73

  7. Bentley M, Stephenson A, Toscas P, Zhu Z (2020) A multivariate model to quantify and mitigate cybersecurity risk. Risks 8:61

  8. Berliner B (1982) Limits of insurability of risks. Englewood Cliffs, New Jersey

  9. Biancotti C (2017) The price of cyber (in)security: evidence from the Italian private sector. In: Bank of Italy occasional paper

  10. Biener C, Eling M, Wirfs JH (2015) Insurability of cyber risk: an empirical analysis. Geneva Pap Risk Insur Issues Pract 40:131–158

  11. Böhme R, Kataria G (2006) Models and measures for correlation in cyber-insurance. Boston. https://www.econinfosec.org/archive/weis2006/docs/16.pdf

  12. Bolance C, Guillen M, Pelican E, Vernic R (2008) Skewed bivariate models and nonparametric estimation for the CTE risk measure. Insur Math Econ 43:386–393

  13. Campbell K, Gordon LA, Loeb MP, Zhou L (2003) The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J Comput Secur 11:431–448

  14. Cartagena S, Gosrani V, Grewal J, Pikinska J (2020) Silent cyber assessment framework. Br Actuarial J 2020:25

  15. Cavusoglu H, Mishra B, Raghunathan S (2004) The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int J Electron Commerce 9:69–104

  16. Cebula J, Young L (2010) A taxonomy of operational cyber security risks. Carnegie Mellon, https://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9395

  17. Ceross A, Simpson A (2017) The use of data protection regulatory actions as a data source for privacy economics. In: Tonetta S, Schoitsch E, Bitsch F (eds) Computer safety, reliability, and security. Springer International Publishing, Cham, pp 350–360

  18. Daffron J, Ruffle S, Andrew C, et al (2019) Bashe attack: Global infection by contagious malware. Cambridge Centre for Risk Studies, Lloyd’s of London and Nanyang Technological University. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/bashe-attack

  19. Dal Moro E (2020) Towards an economic cyber loss index for parametric cover based on IT security indicator: a preliminary analysis. Risks 8:45

  20. de Smidt G, Botzen W (2018) Perceptions of corporate cyber risks and insurance decision-making. Geneva Pap Risk Insur Issues Pract 43:239–274

  21. Dejung S (2017) Economic impact of cyber accumulation scenarios. Swiss Insurance Association SVV Cyber Working Group, Zürich. https://www.vvb-alumni.de/wp-content/uploads/2020/03/Economic_impact_Cyber_loss_accumulation_scenarios_SVV.pdf

  22. Dondossola G, Garrone F, Szanto J (2011) Cyber risk assessment of power control systems—a metrics weighed by attack experiments. In: 2011 IEEE power and energy society general meeting, pp 1–9

  23. Edwards B, Hofmeyr S, Forrest S (2016) Hype and heavy tails: a closer look at data breaches. J Cybersecur 2:3–14

  24. Egan R, Cartagena S, Mohamed R et al (2019) Cyber operational risk scenarios for insurance companies. Br Actuarial J 2019:24

  25. Eling M (2012) Fitting insurance claims to skewed distributions: are the skew-normal and skew-student good models? Insur Math Econ 51:239–248

  26. Eling M, Jung K (2018) Copula approaches for modeling cross-sectional dependence of data breach losses. Insur Math Econ 82:167–180

  27. Eling M, Loperfido N (2017) Data breaches: goodness of fit, pricing, and risk measurement. Insur Math Econ 75:126–136

  28. Eling M, Schnell W (2020) Extreme cyber risks and the nondiversification trap. Working Paper University of St. Gallen. https://www.alexandria.unisg.ch/260004/

  29. Eling M, Schnell W (2016) What do we know about cyber risk and cyber risk insurance? J Risk Financ 17:474–491

  30. Eling M, Schnell W (2019) Capital requirements for cyber risk and cyber risk insurance: an analysis of solvency II, the US Risk-based capital standards, and the swiss solvency test. N Am Actuarial J 2019:1–23

  31. Eling M, Wirfs J (2019) What are the actual costs of cyber risk events? Eur J Oper Res 272:1109–1119

  32. Eling M, Zhu J (2018) Which insurers write cyber insurance? Evidence from the US property and casualty insurance industry. J Insur Issues 41:22–56

  33. Fahrenwaldt MA, Weber S, Weske K (2018) Pricing of cyber insurance contracts in a network model. ASTIN Bull J IAA 48:1175–1218

  34. Falco G, Eling M, Jablanski D et al (2019) Cyber risk research impeded by disciplinary barriers. Science 366:1066–1069

  35. Long Finance (2015) Financing the transition: sustainable infrastructure in cities. Z/Yen Group, London. https://www.longfinance.net/media/documents/Financing_the_transition_March2015.pdf

  36. Franke U, Holm H, König J (2014) The distribution of time to recovery of enterprise it services. IEEE Trans Reliab 63:858–867

  37. Gai K, Qiu M, Elnagdy S (2016) A novel secure big data cyber incident analytics framework for cloud-based cybersecurity insurance. In: 2016 IEEE 2nd international conference on big data security on cloud (BigDataSecurity), IEEE international conference on high performance and smart computing (HPSC), and IEEE international conference on intelligent data and security (IDS), pp 171–176

  38. Gallin L (2017) Re/insurance to take minimal share of $8 billion WannaCry economic loss: A.M. Best. In: ReinsuranceNews. https://www.reinsurancene.ws/reinsurance-take-minimal-share-8-billion-wannacry-economic-loss-m-best/. Accessed 31 Jul 2020

  39. Gordon LA, Loeb M (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5:438–457

  40. Gordon L, Loeb M, Sohail T (2003) A framework for using insurance for cyber-risk management. Commun ACM 46:81–85

  41. Heitzenrater CD, Simpson AC (2016) Policy, statistics and questions: Reflections on UK cyber security disclosures. J Cybersecur 2:43–56

  42. Herath H, Herath T (2011) Copula-based actuarial model for pricing cyber-insurance policies. Insur Markets Companies Anal Actuarial Comput 2:7–20

  43. Hoang DT, Wang P, Niyato D, Hossain E (2017) Charging and discharging of plug-in electric vehicles (pevs) in vehicle-to-grid (v2g) systems: a cyber insurance-based model. IEEE Access. https://doi.org/10.1109/ACCESS.2017.2649042

  44. Hofmann A, Ramaj H (2011) Interdependent risk networks: the threat of cyber attack. Int J Manage Decision Making 11:312–323

  45. Hofmann A, Rothschild C (2019) On the efficiency of self-protection with spillovers in risk. Geneva Risk Insur Rev 44:207–221

  46. Hovav A, D’Arcy J (2003) The impact of denial-of-service attack announcements on the market value of firms. Risk Manag Insur Rev 6:97–121

  47. Ponemon Institute (2017) 2017 cost of data breach study. Traverse City. https://www.ibm.com/downloads/cas/ZYKLN2E3

  48. Jevtić P, Lanchier N (2020) Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based LAN topology. Insur Math Econ 91:209–223

  49. Johnson B, Böhme R, Grossklags J (2011) Security games with market insurance. In: Baras JS, Katz J, Altman E (eds) Decision and game theory for security. Springer, Berlin, Heidelberg, pp 117–130

  50. Kamiya S, Kang J-K, Kim J et al (2020) Risk management, firm reputation, and the impact of successful cyberattacks on target firms. J Financ Econ. https://doi.org/10.1016/j.jfineco.2019.05.019

  51. Kelly S, Leverett E, Copic J et al (2016) Integrated infrastructure: cyber resiliency in society: mapping the consequences of an interconnected digital economy. In: Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/integrated-infrastructure-cyber-resiliency-in-society/

  52. Lloyd’s (2015) Business blackout: The insurance implications of a cyber attack on the US power grid. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/society-and-security/business-blackout. Accessed 31 Jul 2020

  53. Mahalingam A, Coburn AW, Jung CJ, et al (2018) Impacts of severe natural catastrophes on financial markets. Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/natural-catastrophe-and-climate/impacts-of-severe-natural-catastrophes-on-financial-markets/

  54. Maillart T, Sornette D (2010) Heavy-tailed distribution of cyber-risks. Eur Phys J B 75:357–364

  55. Marotta A, McShane M (2018) Integrating a proactive technique into a holistic cyber risk management approach. Risk Manag Insur Rev 21:435–452

  56. Marotta A, Martinelli F, Nanni S et al (2017) Cyber-insurance survey. Comput Sci Rev 24:35–61

  57. McQueen M, Boyer W, Flynn M, Beitel G (2006) Time-to-compromise model for cyber risk reduction estimation. In: Gollmann D, Massacci F, Yautsiukhin A (eds) Quality of protection. Springer, New York, pp 49–64

  58. Mukhopadhyay A, Chatterjee S, Saha D et al (2013) Cyber-risk decision models: to insure IT or not? Decision Support Syst 56:11–26

  59. NetDiligence (2016) 2016 cyber claims study. Gladwyne, PA. https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf

  60. Nikolakopoulos T, Darra E, Tofan D (2016) The cost of incidents affecting CIIs: Systematic review of studies concerning the economic impact of cyber-security incidents on critical information infrastructures (CII). In: ENISA, Heraklion. https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis

  61. Oughton E, Copic J, Skelton A et al (2016) Helios solar storm scenario. Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/helios-solar-storm-scenario/

  62. Pal R, Golubchik L, Psounis K, Hui P (2014) Will cyber-insurance improve network security? A market analysis. In: IEEE INFOCOM 2014—IEEE conference on computer communications, pp 235–243

  63. Pooser DM, Browne MJ, Arkhangelska O (2018) Growth in the perception of cyber risk: evidence from US P&C insurers. Geneva Pap Risk Insur Issues Pract 43:208–223

  64. Romanosky S (2016) Examining the costs and causes of cyber incidents. J Cyber Secur 2:121–135

  65. Risk Management Solutions Inc. (2016) Managing cyber insurance accumulation risk. In: Centre for Risk Studies, Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/cyber-risk-outlook/managing-cyber-insurance-accumulation-risk-2016/

  66. Romanosky S, Telang R, Acquisti A (2011) Do data breach disclosure laws reduce identity theft? J Policy Anal Manag 30:256–286

  67. Romanosky S, Hoffman D, Acquisti A (2014) Empirical analysis of data breach litigation. J Empir Legal Stud 11:74–104

  68. Ruffle SJ, Bowman G, Caccioli F et al (2014) Stress Test Scenario: Sybil Logic Bomb Cyber Catastrophe. In: Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/sybil-logic-bomb-cyber-catastrophe-stress-test-scenario/

  69. Schnell W (2020) Does cyber risk pose a systemic threat to the insurance industry? Working Paper University of St. Gallen. https://www.alexandria.unisg.ch/260003/

  70. Schroeder B, Gibson GA (2010) A large-scale study of failures in high-performance computing systems. IEEE Trans Depend Secure Comput 7:337–350

  71. Shackelford SJ (2012) Should your firm invest in cyber risk insurance? Bus Horiz 55:349–356

  72. Shetty N, Schwartz G, Felegyhazi M, Walrand J (2010) Competitive cyber-insurance and internet security. In: Moore T, Pym D, Ioannidis C (eds) Economics of information security and privacy. Springer, Boston, pp 229–247

  73. Shetty S, McShane M, Zhang L et al (2018) Reducing informational disadvantages to improve cyber risk management. Geneva Pap Risk Insur Issues Pract 43:224–238

  74. Sinanaj G, Muntermann J (2013) Assessing corporate reputational damage of data breaches: an empirical analysis. BLED 2013 Proc 2013:29

  75. Srinidhi B, Yan J, Tayi GK (2015) Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors. Decision Support Syst 75:49–62

  76. Trautman LJ, Ormerod P (2019) Wannacry, ransomware, and the emerging threat to corporations. Tennessee Law Rev 86:505–556

  77. Verizon LLC (2018) 2018 data breach investigations report. New York. https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf

  78. Vernic R (2006) Multivariate skew-normal distributions with applications in insurance. Insur Math Econ 38:413–426

  79. Vishwanath A, Harrison B, Ng YJ (2018) Suspicion, cognition, and automaticity model of phishing susceptibility. Commun Res 45:1146–1166

  80. Wheatley S, Maillart T, Sornette D (2016) The extreme risk of personal data breaches and the erosion of privacy. Eur Phys J B 89:7

  81. Woods DW, Moore T, Simpson AC (2019) The county fair cyber loss distribution: drawing inferences from insurance prices. Boston, MA

  82. World Economic Forum (2010) The global competitiveness report 2010–2011. World Economic Forum, Geneva. https://www3.weforum.org/docs/WEF_GlobalCompetitivenessReport_2010-11.pdf

  83. Xu M, Hua L (2019) Cybersecurity insurance: modeling and pricing. N Am Actuarial J 23:220–249

  84. Xu M, Schweitzer KM, Bateman RM, Xu S (2018) Modeling and predicting cyber hacking breaches. IEEE Trans Inf Forensics Secur 13:2856–2871

Acknowledgements

I thank Sebastian Kimm-Friedenberg and Werner Schnell for their assistance in preparing this paper.

Funding

None.

Author information

Corresponding author

Correspondence to Martin Eling.

Ethics declarations

Conflict of interest

The author(s) declare that they have no conflicts of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Google Scholar Citations

See Table 7 and Fig. 2.

Table 7 Google Scholar citations as of April 09, 2020

Fig. 2 Google Scholar citations as of April 09, 2020

Appendix B: Visualization Treemap on “Cyber Insurance”

See Fig. 3.

Fig. 3 Visualization Treemap for 95 hits on “cyber insurance” in the Web of Science as of March 30, 2020

Cite this article

Eling, M. Cyber risk research in business and actuarial science. Eur. Actuar. J. 10, 303–333 (2020). https://doi.org/10.1007/s13385-020-00250-1

  • DOI: https://doi.org/10.1007/s13385-020-00250-1
